from the to-keep-up-with-the-bad-guys,-we're-just-going-to-need-the...-EVERYTHING dept

The DOJ wants to amend Rule 41 (Search and Seizure) to grant its agencies unilateral powers to hack any computer in the world. This would expand its reach beyond the US, using warrants granted by magistrate judges to facilitate searches and seizures of remote data. This would obviously open up a whole diplomatic can of worms, what with the FBI hacking into computers whose locations it can't ascertain until after the fact.

Not that the DOJ is bothered by the implications of the amendment it's pushing. It argues that the law already has determined searches in known jurisdictions legal. What's left to be established is whether it's similarly legal to search computers whose true location is unknown, thanks to the use of proxies and VPNs. That operating extraterritorially might cause some diplomatic strain or possibly even be illegal in the country the search takes place doesn't seem to have crossed its mind. In its opinion, this is the natural progression of Rule 41, which must be updated to reflect the change in technology.

Although the proposed amendment disclaims association with any constitutional questions, it invariably expands the scope of law enforcement searches, weakens the Fourth Amendment's particularity and notice requirements, opens the door to potentially unreasonable searches and seizures, and expands the practice of covert entry warrants.

Google then suggests that if the DOJ wishes to keep stripping away these protections, it should have the decency to do it the way it's usually been done: through acts of Congress.

The substantive changes offered by the proposed amendment, if they are to occur, should be the work of congressional lawmaking. Such was the case with a slew of legislation providing law enforcement with the ability to use technological means to conduct invasive searches on targets, including the Foreign Intelligence Surveillance Act, which provides law enforcement with the ability to legally surveil and collect foreign intelligence information; Title III of the Omnibus Crime Control and Safe Streets Act of 1968, which provides law enforcement with the ability to legally intercept wire, oral, and electronic communications; the Stored Communications Act, which provides law enforcement with the ability to legally access electronically stored communications; and the Pen Registers and Trap and Trace Act and USA PATRIOT Act, both of which provide law enforcement with the ability to legally intercept real-time telephony metadata. In passing this legislation, Congress was able to openly debate and weigh the various constitutional issues at play.

"I empathize that it is very hard to get a legislative change," Amie Stepanovich, senior policy counsel with Access, a digital-freedom group, told the judicial panel during a meeting called to review the proposal in November. "However, when you have us resorting to Congress to get increased privacy protections, we would also like to see the government turn to Congress to get increased surveillance authority."

Google also warns that the non-specific wording of the proposal lends itself to all sorts of shady tactics.

There are a myriad of serious concerns accompanying the government's use of NITs [Network Investigative Techniques]. These are outlined in detail in other comments submitted to the Committee and include, among other things, the creation of vulnerabilities in the target device thereby increasing the target's risk of exposure to compromise by other parties, actual damage to the target device, the creation of a market for zero-day exploits, and unintended targets' exposure to malware. Additionally, the remote facilities accessed by the government may in fact identify and disclose the 'hack' or take action to prevent it or retaliate against its use. These are serious concerns that are more appropriately considered and balanced by Congress than by the Committee.

Again, with the exception of the eventuality listed last, these are side effects the DOJ couldn't care less about. Collateral damage is almost always acceptable, and at this point -- considering what we've learned about the tactics deployed by the NSA and other intelligence agencies -- making things worse and less safe for the world's citizens is just another essential part of fighting Wars on Things.

The DOJ seems to view its proposal as a necessity in the race against technological advance, rather than a dangerous expansion of power that could result in some very negative repercussions. Unfortunately, the nation's prosecutors and magistrate judges seem to be very much aligned with the DOJ. Both refer to the Rule 41 change as "filling a significant gap" in existing law.

But it does far more than that. The DOJ argues it's just a needed tweak, but it gives its agencies unprecedented extraterritorial powers and encourages these investigators to view anonymous connections as inherently suspicious.

from the time-to-take-the-3rd-party-doctrine-'round-back-and-put-it-out-of-everyone dept

The question of whether law enforcement's warrantless (and subpoena-less) access to hotel records falls outside the confines of the Constitution will be answered by the Supreme Court. An en banc hearing by the Ninth Circuit Court found that Los Angeles' ordinance granting local law enforcement this power was unconstitutional. Not content with this finding, the city of Los Angeles has managed to bump it up to the highest judicial level.

Along the way, the city has argued that its access-on-demand doesn't constitute a search, much less violate hotel owners' (or their customers') civil liberties. It also argued that the end justifies the means, and that because the files were often electronic, there was no real intrusion. The city's arguments rely heavily on two oft-misused Fourth Amendment-related terms: "reasonable expectation of privacy" and the infamous "Third Party Doctrine."

As we’ve done in many prior briefs, we discourage the Court from applying the “reasonable expectation of privacy” test. “Reasonable expectations” doctrine is a contortion of the Fourth Amendment that springs from one concurrence in a 1967 case. Rather than estimating whether hoteliers have a “privacy expectation” in their records, we invite the Court to adhere to the Fourth Amendment’s language and determine whether the the right of Los Angeles hoteliers “to be secure in their persons, houses, papers, and effects” is protected by a statute that permits any search of their records law enforcement should want.

The same could be said for hotel guests, whose expectation that any info turned over in exchange for access to a room would be limited to them and the business owners -- and not forcibly "shared" with any law enforcement officer who happened to wander into the building.

The brief also argues that the court should revisit the Third Party Doctrine, as long as it has the eternally-ethereal "reasonable expectation of privacy" on its mind. This doctrine has been used to justify all sorts of warrantless demands for data, as well as forming the backbone of the NSA's most infamous domestic surveillance program, the Section 215 telephone metadata dragnet.

The argument frequently deployed by the government is that any information voluntarily turned over to a third party is fair game. But is the information gathered by hotel/motel operators, in any shape or form, voluntary? The answer should be obvious, but has rarely been given by federal judges. A hotel owner isn't going to give someone a room unless they give up a certain amount of personal information. It clearly isn't voluntary. It's a requirement -- one that's no different than AT&T refusing to give you cellphone service unless it can collect data on calls made and received, along with a certain amount of location data to ensure no roaming fees go uncollected. This "exchange" is no more "voluntary" than the hotel/customer exchange. But yet, the government continues to insist it is, and it is very rarely challenged on this assertion.

As Cato points out, to continue to rely on a barely-there precedent from nearly 50 years ago is absurd. After all, if this outdated view on "reasonable expectation of privacy" was weaponized to turn businesses into ad hoc informants for intelligence and law enforcement agencies, it would be pure madness.

There would be no end to it if the government were allowed to require businesses to perform surveillance on its behalf. Banks could be made to collect and turn over sensitive financial information about customers. The phone company could be made to turn over information about Americans’ calling behavior. The list goes on.

Ha. It's funny because IT'S EXACTLY WHAT HAS HAPPENED.

The government has no "right" to warrantless access to anything it decides is "voluntarily" being turned over to third parties. Or, at least, it shouldn't have this right, but the courts (and secret laws with secret interpretations) have turned warrantless acquisition into the default mode. If the end is law enforcement, then these agencies need to be forced to produce something resembling "probable cause" in exchange for the wealth of data being generated by citizens every minute of every day. But respecting the Fourth Amendment is often pitched to judges as an impediment to efficient law enforcement. There has been some very recent pushback from the judicial branch that calls into question the long-held assumption that the ends are self-justifying. The same needs to happen here at the highest court in the land.

from the the-maiming-of-toddlers-is-acceptable-collateral-damage,-apparently dept

A Georgia state senator has announced a bill to limit the use of no-knock warrants. These warrants have gone from the exception to the rule over the past several years, as our nation's drug warriors apparently labor under the assumption that drug dealers keep banker's hours.

Of course, no-knock raids have resulted in plenty of collateral damage -- both to cops and civilians -- as the element of surprise tends to be bullet-and-flashbang heavy. It's the use of flashbang grenades that has prompted this new legislation, which unfortunately puts it into the category of "Laws Named After Victims," most of which are written badly and hastily.

The incident prompting this bill involved a 19-month-old toddler who was badly burned by a flashbang that landed in his crib. The police claimed they had no idea children might be present in the home, despite nearly tripping over the toys scattered around the yard in their haste to raid a house over a $50 drug purchase from a person who didn't even live at the residence.

House Bill 56, sponsored by Rep. Kevin Tanner, R-Dawsonville, would, in most cases, bar the use of no-knock warrants between 10 p.m. and 6 a.m.

It also requires law enforcement agencies to develop written policies and training for the use of the warrants, require a supervising officer to present when the warrant is executed, and requires police to swear that not using a no-knock warrant would pose “a significant and imminent danger to human life or imminent danger of evidence being destroyed.”

The last part of that sentence is the loophole. All it takes to acquire the "forbidden" no-knock warrant is for an officer to swear that "because reasons, most likely drugs/officer safety," no other type of warrant will do. If it passes the way it's written, it will end up preventing nearly nothing. Scott Greenfield sees this legislation as nothing more than a preemptive strike against further regulation of warrant service.

While one might applaud Tanner for doing anything, perhaps this is offered as a stop-gap measure to prevent more significant, more real, limitations on the execution of warrants that put citizens lives at risk for the sake of protecting cops.

Considering the overall uselessness of this "ban" on no-knock warrants, you'd think the police union would just keep its mouth shut and just be grateful no one has pushed for real oversight and reform. But no, the reps just can't help themselves. Any additional requirements are unwelcome… always.

"I don't think any changes are needed because it is not easy now," Mills said.

Define "easy," International Brotherhood of Police Officers union rep Carrie Mills. There's practically no oversight as it is. Most magistrate judges -- with few exceptions -- are more than happy to sign off on anything a cop puts in front of them. And higher courts oblige this rubberstamping by carving up even more "good faith" territory when granting immunity to law enforcement officers who screw up (accidentally or intentionally) their warrant apps.

Then Mills delivers this unbelievable statement, which is supposed to make us feel bad for poor cops facing a very slim possibility of having to cut back on their no-knocking, flashbanging raids.

"You have to draw the line between your right as a citizen to privacy and a community's right to live in a crime-free environment. You can't have them both," Mills said.

Oh, the old "freedom or security, but not both" argument, but badly paraphrased to fit the current situation. The protection of a right that doesn't actually exist ("right to live in a crime-free environment") supersedes a right acknowledged (and protected) by the Fourth Amendment.

Or to put it even more graphically -- considering the impetus for this proposed legislation: "You can live in a safe neighborhood or live a life free of horrific flashbang injuries, but not both." Those are your options as long as there's a war on drugs. And at the rate that war is going, it will be forever before law enforcement agencies agree to limit their use of no-knock warrants.

from the that's-not-how-it-works dept

Earlier this week, we wrote about how the feds got a warrant demanding all email and other information about three Wikileaks-associated reporters. While the warrants issued in 2012, Wikileaks only found out about it a few weeks ago when Google told them, saying that an earlier gag order had been partially lifted. Wikileaks lashed out at Google for not letting them know earlier. However, in response, Google has noted that it fought the request and that it was gagged from saying anything until now.

Google says it challenged the secrecy from the beginning and was able to alert the customers only after the gag orders on those warrants were partly lifted, said Gidari, a partner at Perkins Coie.

“From January 2011 to the present, Google has continued to fight to lift the gag orders on any legal process it has received on WikiLeaks,” he said, adding that the firm’s policy is to challenge all gag orders that have indefinite time periods.

But, much more interesting was a separate point made by the lawyer, Albert Gidari, over why the feds demanded the gag order:

According to Gidari, whose firm has represented both firms, Google’s delay was not the result of foot-dragging but of opposition from prosecutors who were upset by the backlash that followed the disclosure of their court orders to Twitter.

[....]

“The U.S. attorney’s office thought the notice and the resulting publicity was a disaster for them,” Gidari said. “They were very upset” about the prosecutor’s name and phone number being disclosed, he said. “They went through the roof.”

Gidari also claims that "Google litigated up and down through the courts trying to get the orders modified so that notice could be given."

If you don't recall, the feds attempt to get information from Twitter made headlines back in 2011 for trying to get access to Icelandic politician (and Wikileaks supporter) Birgitta Jonsdottir's account.

If it's true that this was truly the reason for the gag order, that is equal parts ridiculous, pathetic and dangerous. There are legitimate reasons for limited gag orders in specific cases at specific times. But a general, unending, broad gag order "because we don't like the backlash" is not one of them. At all. But that's what you get when there's no real oversight or pushback to the surveillance state.

from the good-for-them dept

We've written plenty about Stingrays and other "IMSI Catcher" devices that allow law enforcement to set up what are effectively fake cell phone towers, designed to intercept calls and locate certain individuals. These devices are deployed in near total secrecy, often by law enforcement who got them from the federal government. There is little to no oversight over how these are used (and abused). The attempts to keep the details a total secret represent really egregious behavior from all involved. As we've covered, police have claimed that non-disclosure agreements with the manufacturers (such as Harris Corp.) prevent them from getting a warrant to use the devices. The DOJ, somewhat famously, had a whole plan for how to mislead judges about the use of these devices, with official documentation telling DOJ officials to be "less than explicit" and "less than forthright" to judges about how the tech was being used. In some cases, the US Marshals have stepped in and seized documents from local police forces to block them from being released in response to FOIA requests.

In short, law enforcement really doesn't want how it uses these devices revealed. And yet, reporters and activists keep digging up more information, including the WSJ finding out that the US Marshals (them again!) have been putting airborne versions of these devices, called DRT boxes, on airplanes and flying them over cities, likely scooping up information on tons of innocent people with no warrant.

At least some in our government are concerned about this. Senators Patrick Leahy and Chuck Grassley have been pressing government officials on this, and before the holidays sent a letter to Attorney General Eric Holder and Homeland Security Boss Jeh Johnson demanding answers. One very interesting tidbit is that in response to some of this public disclosure, the FBI now, at least, gets warrants before using the technology -- but the Senators would like more details:

We wrote to FBI Director Comey in June seeking information about law enforcement use of cell-site simulators. Since then, our staff members have participated in two briefings with FBI officials, and at the most recent session they learned that the FBI recently changed its policy with respect to the type of legal process that it typically seeks before employing this type of technology. According to this new policy, the FBI now obtains a search warrant before deploying a cell-site simulator, although the policy contains a number of potentially broad exceptions and we continue to have questions about how it is being implemented in practice. Furthermore, it remains unclear how other agencies within the Department of Justice and Department of Homeland Security make use of cell-site simulators and what policies are in place to govern their use of that technology.

But, still, the Senators would like a few more details:

The Judiciary Committee needs a broader understanding of the full range of law enforcement agencies that use this technology, the policies in place to protect the privacy interests of those whose information might be collected using these devices, and the legal process that DOJ and DHS entities seek prior to using them.

For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

We have concerns about the scope of the exceptions. Specifically, we are concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests of other individuals who are not the targets of the interception, but whose information is nevertheless being collected when these devices are being used. We understand that the FBI believes that it can address these interests by maintaining that information for a short period of time and purging the information after it has been collected. But there is a question as to whether this sufficiently safeguards privacy interests.

The specific questions being asked:

1. Since the effective date of the FBI’s new policy:

a. How many times has the FBI used a cell-site simulator?
b. In how many of these instances was the use of the cell-site simulator authorized by a search warrant?
c. In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process? Please identify the legal process used.
d. In how many of these instances was the cell-site simulator used without any legal process?
e. How many times has each of the exceptions to the search warrant policy, including those listed above, been used by the FBI?

2. From January 1, 2010, to the effective date of the FBI’s new policy:

a. How many times did the FBI use a cell-site simulator?
b. In how many of these instances was the use of a cell-site simulator authorized by a search warrant?
c. In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process? Please identify the legal process used.
d. In how many of these instances was the cell-site simulator used without any legal process?
e. In how many of the instances referenced in Question 2(d) did the FBI use a cell-site simulator in a public place or other location in which the FBI deemed there is no reasonable expectation of privacy?

3. What is the FBI’s current policy on the retention and destruction of the information collected by cell-site simulators in all cases? How is that policy enforced?

4. What other DOJ and DHS agencies use cell-site simulators?

5. What is the policy of these agencies regarding the legal process needed for use of cell-site simulators?

a. Are these agencies seeking search warrants specific to the use of cell-site simulators?
b. If not, what legal authorities are they using?
c. Do these agencies make use of public place or other exceptions? If so, in what proportion of all instances in which the technology is used are exceptions relied upon?
d. What are these agencies’ policies on the retention and destruction of the information that is collected by cell-site simulators? How are those policies enforced?

6. What is the Department of Justice’s guidance to United States Attorneys’ Offices regarding the legal process required for the use of cell-site simulators?

7. Across all DOJ and DHS entities, what protections exist to safeguard the privacy interests of individuals who are not the targets of interception, but whose information is nevertheless being collected by cell-site simulators?

Anyone taking bets on how few of these questions will actually be answered?

from the if-you-don't-take-the-time-to-do-it-right,-you-don't-get-a-chance-to-do dept

When we fight crime, what do we fight? To hear those guarding the borders and all of the towns in between, it's generally a given that the Drug War is the top priority. Adding borders to the mix usually puts terrorism at a close second. The third? That's usually child porn/child molestation. It tends to shoot up the Public Enemy charts whenever someone drags social media or the internet into the discussion.

Considering that pretty much everyone agrees that child pornography is a bad thing, you'd think those in charge of busting possessors of this illegal content would be more careful. In two separate cases, child porn evidence has been thrown out by judges because officers failed to obtain warrants -- with both orders arriving within four days of each other.

The first comes from the Ninth Circuit Court of Appeals and deals with the illegal search of a border detainee's cellphone [pdf link].

Chad Camou was arrested by border patrol agents and his vehicle was searched. Camou invoked his right to remain silent at this point. While the search was ongoing, his cellphone was called several times by a number known to agents to be one of his accomplices. An agent began warrantlessly searching his phone -- originally for contact information but later took a look at Camou's saved photos. That's when he came across the child porn photos. He alerted his superiors to this fact. The search of the phone occurred 80 minutes after Camou's arrest. The warrant to search his phone wasn't obtained for another four days.

The court suppressed the evidence, stating several factors. First, it wasn't a search "incident to arrest" because too much time had elapsed since Camou's arrest and the agent's search of the phone. The court also pointed out that the "exigent circumstances" exception could not be deployed in this situation because the scope of the search exceeded the circumstances.

Most importantly, the court ruled that, in light of the recent Riley decision, that a cellphone does not fall under the "automobile exception," i.e., anything contained within the vehicle being searched can also be examined without a warrant.

Given the Court’s extensive analysis of cell phones as “containers” and cell phone searches in the vehicle context, we find no reason not to extend the reasoning in Riley from the search incident to arrest exception to the vehicle exception. Just as “[c]ell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee’s person,” so too do cell phones differ from any other object officers might find in a vehicle. Id. at 2489. Today’s cell phones are unlike any of the container examples the Supreme Court has provided in the vehicle context. Whereas luggage, boxes, bags, clothing, lunch buckets, orange crates, wrapped packages, glove compartments, and locked trunks are capable of physically “holding another object,” see Belton, 453 U.S. at 460 n.4, “[m]odern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse,” Riley, 134 S. Ct. at 2488–89. In fact, “a cell phone search would typically expose to the government far more than the most exhaustive search of a house.”

The court also refused to let the agent off the hook with the oft-used and abused "good faith exception."

The governing law at the time of the search made clear that a search incident to arrest had to be contemporaneous with the arrest. See, e.g., United States v. Hudson, 100 F.3d 409, 1419 (9th Cir. 1996). The government has not met its burden to prove that a reasonably well-trained officer in Agent Walla’s position could have believed that the search of Camou’s cell phone one hour and 20 minutes after Camou’s arrest was lawful…

The Supreme Court has never applied the good faith exception to excuse an officer who was negligent himself, and whose negligence directly led to the violation of the defendant’s constitutional rights. Here, the government fails to assert that Agent Walla relied on anyone or anything in conducting his search of Camou’s cell phone, let alone that any reliance was reasonable. The government instead only asserts that by searching the phone, Agent Walla was not acting “recklessly[,] or deliberately” misbehaving. In this case, the good faith exception cannot apply.

As Orin Kerr points out in his analysis of this decision, it's somewhat surprising that the government didn't introduce the "Constitution-Free Zone" border free-for-all into its arguments for the legitimacy of a warrantless cellphone search. Kerr speculates that it maybe had too many exceptions in play already and that adding this might have produced nothing more than confusion. In the end, it's the results that matter. An agent discovered child porn stored on a cellphone but government prosecutors are unable to do anything with that evidence because no warrant was obtained.

The same can be said for the next case, even though the underlying circumstances are different.

Homeland Security investigators set up a child porn sting in Brownsville, Texas. It tracked downloads to a residence via the IP address and set up surveillance. Although the IP address traced back to the house, there appeared to be no one living there. The agents then approached the house and spoke to the two residents. One of the residents, Miguel Beckes, had his laptop and external hard drives searched without a warrant. Beckes did sign a consent form but conflicting testimonies make it unclear as to whether he was ever clearly informed that he was giving agents permission to search his electronics.

The agents searched Beckes' devices and found over 800 child porn images. The next day, the agents filed a criminal complaint against Beckes for one count of possession. Nearly 10 days later, they finally acquired a warrant to search the electronics they had already searched.

The judge notes that the government has the burden of proof when it comes to voluntary consent. Beckes' testimony suggests the agents mislead him, referring to "suspicious activity" in his neighborhood, rather than what they were actually looking for. The judge also points out Beckes' mental status (a mental capacity below what's expected for someone his age, according to a psychiatric exam) as being part of the issue [pdf link].

The judge goes into much further detail of the investigator's wrongdoing towards the end of the decision.

[T]he Court is puzzled at the HSI agents failure to utilize the procedures available to legitimize or at least document this type of investigation and thus avoid the ensuing dispute regarding the validity of the search altogether. At least one year before Agent Baker visited Beckes' residence, he had evidence that child pornography was being downloaded to an IP address associated with that location; evidence he deemed sufficient to apply for and actually receive a warrant to search Beckes' home. Although this IP address was canceled before Agent Baker could execute the search warrant, in January of 2014 -- at least eight months before his visit to Beckes' residence -- Agent Baker discovered that child pornography was again being downloaded to an IP address associated with the same residence.

Despite this evidence, which obviously would have been sufficient to obtain a second search warrant… the agents instead chose to proceed without a warrant and rely on attempts to secure the suspects' voluntary consent to search their electronic devices. Then, having decided on this course of action, they did not even attempt to get a signed consent to search form to document this assent. These forms were obviously available in their own office. Although foregoing the necessary procedural safeguards may have seemed expedient at the time, there was no suggestion that time was of the essence or that any other reason existed for not getting a warrant, or at least proof that consent was given.

Further, the steps the agents took after securing the pornographic images from Beckes' laptop computer suggest that they too doubted the legitimacy of Beckes' consent to search. After arriving with Beckes at the HSI office, Agent Baker had him sign a consent to search form that included devices that had already been searched at Beckes' residence. Then, nine days after the complaint against Beckes was filed in federal court, Agent Baker applied for and received a warrant to search Beckes' electronic devices -- a warrant that included devices Baker had already searched twice. Had he considered Beckes' initial consent to search inarguably valid, Agent Baker likely would have deemed these subsequent actions unnecessarily redundant.

The final decision is much like the one above. The images found during the search at Beckes' home are suppressed, along with everything found past that point, including his confession. In the former, the government is pretty much left with pursuing trafficking charges. In the latter, the entire case against Beckes' is almost completely dismantled. Rather than abide by the processes and controls that ensure the usability of evidence as well as protect citizens' rights, agents under the DHS's large umbrella decided to improvise -- and, in doing so, managed to let two people with child porn in their possession off the hook.

from the bucking-a-trend? dept

The US Supreme Court recently ruled -- despite panicky DOJ arguments otherwise -- that cell phones are unlike someone's pant pockets or little black book and can't be simply searched incident to arrest just because the arrestee (like nearly every American) happens to have one on their person. The decision noted that the capability and capacity of modern cell phones makes them incomparable to other items cited in previous decisions on warrantless searches.

One of the most notable distinguishing features of modern cell phones is their immense storage capacity. Before cell phones, a search of a person was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy.... Most people cannot lug around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read—nor would they have any reason to attempt to do so. And if they did, they would have to drag behind them a trunk of the sort held to require a search warrant in Chadwick, supra, rather than a container the size of the cigarette package in Robinson.

This description of today's smartphones is universal. The leap in technological capability and storage capacity should give any judicial system pause when considering law enforcement's general assertion that they should be able to fully search anything carried by an arrestee. Unfortunately, Canada's Supreme Court has weighed the same factors and arrived at the opposite conclusion. (via Reason)

In a crime ruling that earned it rare praise from the federal government, the Supreme Court of Canada said police may search cellphones without a warrant when they make an arrest.

Much like in the US, the impetus for warrantless searches is (and has been for quite some time) the eternal War on Drugs.

Cellphones are the bread and butter of the drug trade, the majority said in a 4-3 ruling. It said police have been given the “extraordinary power” to do warrantless searches during an arrest, under common-law rules developed by judges over centuries, because of the importance of prompt police investigations.

"Prompt police investigations" that apparently would be derailed by the "rigors" of warrant approval. These words would carry more weight if the warrant approval process wasn't generally the epitome of ease and efficiency. This also seems to ignore a crucial aspect of the issue under discussion: the arrestees affected are detained, along with all their belongings, until law enforcement decides to free them. There's plenty of time to obtain a warrant because the person and his/her cell phone aren't going anywhere. (Not to mention the fact that cell phones are the "bread and butter" of pretty much everybody, not just those in the drug trade.)

The majority echoed law enforcement's narrative of forever being behind the technological curve.

“Prompt access by law enforcement to the contents of a cellphone may serve the purpose of identifying accomplices or locating and preserving evidence that might otherwise be lost or destroyed,” Justice Thomas Cromwell wrote for the majority, joined by Chief Justice Beverley McLachlin and Justices Richard Wagner and Michael Moldaver.

Law enforcement personnel act as though every arrestee's cell phone contains a self-destruct switch, even though there's been very little evidence produced that even suggests this is a common occurrence. Even if true, there are ways of circumventing this while obtaining a warrant. What law enforcement agencies really want (but never say in so many words) is the opportunity to image a phone's contents without a warrant -- something that gives them access to far more data and communications than any warrantless search performed previous to the ubiquity of smartphones. Because of this, rules should be stricter, not looser.

But the majority decision ignores this, handing out a small list of stipulations that will do next to nothing to prevent abuse.

The majority said the search must be tailored to its purpose, which will generally mean that only recent e-mails, texts, photos and the call log will be available.

Define "recent." Somebody needs to because the decision does not. It simply says that only "recent" documents should be accessed. Once again, the court defers to the judgement of law enforcement officials to follow the (loose) guidelines and only access what it's permitted to… whatever that time period actually is. It could be two weeks. It could be two months. It could be everything on the phone because it's only six months old.

This stipulation narrows things down a bit, but still leaves it in the hands of officers to perform warrantless searches in accordance with the spirit of the ruling. (Because the letter of the ruling doesn't actually exist.)

Finally, the police must take detailed notes of what they have examined on the device and how they examined it. The notes should generally include the applications searched, the extent of the search, the time of the search, its purpose and its duration. The record‑keeping requirement is important to the effectiveness of after‑the‑fact judicial review. It will also help police officers to focus on whether what they are doing in relation to the phone falls squarely within the parameters of a lawful search incident to arrest.

Again, this is a deferral to law enforcement. The decision simply asks officers to be honest about searches and record everything accessed. Like many rulings of this type, there is no deterrent, only a handful of post facto remedies to be pursued at the violated person's expense. At best, all someone can hope for is that evidence will be excluded without an extended legal battle. But that's a very slim hope. Even in the case being addressed here, the Supreme Court declared the search violated the appellant's rights, but still refused to exclude the evidence.

I pause here for a moment to note that some courts have suggested that the protection s. 8 affords to individuals in the context of cell phone searches varies depending on whether an individual’s phone is password-protected. I would not give this factor very much weight in assessing either an individual’s subjective expectation of privacy or whether that expectation is reasonable. An individual’s decision not to password protect his or her cell phone does not indicate any sort of abandonment of the significant privacy interests one generally will have in the contents of the phone. Cell phones – locked or unlocked – engage significant privacy interests.

So, at least there's that -- the instruction that just because someone doesn't take active measures to protect their phone's contents from others isn't an implicit suggestion that law enforcement officers are welcome to page through phones at their leisure. Of course, the lack of a warrant requirement does that for them, just so long as they remember to only look at "recent" stuff when searching an arrestee's phone. And there's a certain amount of incongruity in demanding a warrant for a cell phone found at someone's home, rather than for the one found in their pocket.

A warrant requirement is far from onerous, especially considering the wealth of information contained in most smartphones. A warrant requirement is nothing more than a nod to the changing times. People carry personal computers in their pockets and the court needs to recognize that the old rules are no longer applicable. If you can't search a person's computers, personal files and other items without one, you shouldn't be able to do so just because these all reside in someone's pockets. As it stands now, Canada's Supreme Court stands in the awkward position of demanding warrants for access to ISP subscriber info, but not for an arrestee's cell phone contents.

In a unanimous decision written by (Harper appointee) Justice Thomas Cromwell, the court issued a strong endorsement of Internet privacy, emphasizing the privacy importance of subscriber information, the right to anonymity, and the need for police to obtain a warrant for subscriber information except in exigent circumstances or under a reasonable law.

Prior to the court decision, the RCMP and border agency estimate, it took about five minutes to complete the less than one page of documentation needed to ask for subscriber information, and the company usually turned it over immediately or within one day.

Five minutes! Amazing. And disturbing. A 5-minute process indicates no one involved made even the slightest effort to prevent abuse of the process. The court's decision has dialed back that pace considerably. The RCMP is now complaining that it takes "10 hours" to fill out the 10-20 pages required to obtain subscriber info. It's also unhappy with the turnaround time, which went from nearly immediate to "up to 30 days."

In response, the RCMP has done what other law enforcement agencies have done when encountering a bit of friction: given up.

"Evidence is limited at this early stage, but some cases have already been abandoned by the RCMP as a result of not having enough information to get a production order to obtain (basic subscriber information)," the memo says.

The RCMP also points out that the 30-day response period will sometimes outlast the 30-day IP log retention period, resulting in information being destroyed before the agency can access it. It also notes that it's facing a bit of backlash in the wake of the Supreme Court's decision.

Banks, hotels, and car rental companies are reviewing the Supreme Court decision and "a few have signalled less voluntary co-operation" in future.

Yeah, that's a shame. But it seems to be a feeling that's becoming increasingly common as the pendulum swings back towards protecting the rights of the public. Several companies have spent years being forced to play the submissive part in this involuntary relationship, handing out an endless number of "how highs" in response to the government's "jump!" orders. "Less voluntary" is what the future holds for intelligence agencies and law enforcement alike.

If the RCMP is dropping cases because it doesn't have enough put together to "fulfill the requirements" of its warrant paperwork, then it really doesn't have enough of a case put together to be demanding that third parties turn over information related to the suspect. It's that simple. The cases it has dropped obviously aren't strong enough to justify attempts to gather more information. The warrant requirement is going to turn the RCMP into a better law enforcement agency -- one that doesn't pursue certain investigations just because they're easy. This forces the RCMP to better evaluate its caseload and cut loose those that suffer from a dearth of information. The RCMP may now be counting up its theoretical losses (the cases that it's dropping), but Canadian citizens are better protected against ad hoc bulk surveillance and law enforcement fishing expeditions.

from the this-could-get-messy dept

Techdirt has been following the extremely important case where a US magistrate judge ruled that Microsoft had to comply with a warrant asking for data held on servers in Dublin. Clearly, if this stands, it will have big implications for cloud computing -- and a massive negative impact on US businesses trying to sell such services around the world. For that reason, Microsoft has been fighting back in the courts, so far unsuccessfully.

A case involving Microsoft that is currently before the US courts has raised important issues between the respective legal regimes in the European Union and the United States, particularly in relation to the protection of personal data.

The case in question has given rise to a degree of legal uncertainty and the outcome could have potentially serious implications for data protection in the EU.

By seeking direct access to data held in the EU through the US judicial system, existing legal mechanisms for mutual assistance between jurisdictions may be being effectively bypassed. There are fundamental issues at stake here as regards the protection of personal data that is held within the European Union.

"Existing legal mechanisms" presumably means the Mutual Legal Assistance Treaty that would allow the US to request the data it wants from the Irish government. The "fundamental issues at stake" refer to the fact that by trying to take a more direct route, without involving the Irish government, the US authorities are likely to fall foul of European data protection laws, which do not allow personal data to be handed over in this way. The Irish minister is clearly asking the European Commission to support Microsoft in its fight against the US court's decision:

I urge the Commission to consider the arguments that Microsoft are making with respect to this case.

That's an indication that the Irish government -- and doubtless those elsewhere in the EU -- really want Microsoft to win. If it doesn't, there is going to be a clash of jurisdictions that could get very messy as both US and EU insist that their laws must take precedence, with serious consequences if they don't....

from the because-surveillance-is-fun,-yo dept

The Wall Street Journal broke the news that the DOJ has been spying on tons of innocent Americans by putting fake mobile phone towers on airplanes and scooping up all sorts of data from people who thought they were connecting to regular mobile phone towers.

The U.S. Marshals Service program, which became fully functional around 2007, operates Cessna aircraft from at least five metropolitan-area airports, with a flying range covering most of the U.S. population, according to people familiar with the program.

Planes are equipped with devices—some known as “dirtboxes” to law-enforcement officials because of the initials of the Boeing Co. unit that produces them—which mimic cell towers of large telecommunications firms and trick cellphones into reporting their unique registration information.

The technology in the two-foot-square device enables investigators to scoop data from tens of thousands of cellphones in a single flight, collecting their identifying information and general location, these people said.

We have, of course, reported for a while now on so-called Stingray devices, which mimic mobile phone towers on the ground (and have noted that Stingray is just one brand of a few such devices, known as IMSI catchers), but putting them on special planes and flying them around would allow law enforcement agencies to get a lot more information on a lot more people. Given that law enforcement efforts like this are supposed to be narrowly targeted towards those actually suspected of breaking the law, this seems like a massive 4th Amendment abuse, creating mass surveillance programs for law enforcement with little real oversight or control.

While it may not be entirely surprising that this is happening, it is yet another surveillance program being done with zero public transparency, zero public debate and zero public input. That's a huge concern as we've seen time and time again how such programs get abused.

And, while the WSJ doesn't come out and say it, it certainly sounds like it got this info from a concerned whistleblower inside the US Marshals Service:

Within the Marshals Service, some have questioned the legality of such operations and the internal safeguards, these people said. They say scooping up of large volumes of information, even for a short period, may not be properly understood by judges who approve requests for the government to locate a suspect’s phone.

Some within the agency also question whether people scanning cellphone signals are doing enough to minimize intrusions into the phone system of other citizens, and if there are effective procedures in place to safeguard the handling of that data.

As such programs keep getting disclosed, think of how many such other programs there are that we just don't know about?